Network Security - TCP IP
Networksecurity basics <--- ---> Networksecurity übersicht
Layer 7 – Application, Layer 6 – Presentation, Layer 5 -Session
Layer 5-7 (port): FTP(20+21), Telnet(23), SMTP(21), POP2(110), IMAP4(143)
HTTP(80), SHTTP/SSL(443), DNS(53), SNMP(160), RPC(111), finger(79), TFTP(69),
NNTP(119), rlogin(513)
Layer 4 – Transport: TCP(6), UDP(17)
Layer 3 – Network: IP (v4 oder v6)
Layer 1-2 – Link: Ethernet, Token Ring, FDDI, PPP, X.25,
…
Layer 2 – Data Link: LLC(Logical Link Control), MAC
(Medium Access Control)
Layer 1 – Physical: PHY(Physical), PMD (Physical Medium
Dependent)
TCP/IP Protocol Stack
Application(L5-7): Interface to user application, Transport(L4):
Overall end-o-end communication in the network UDP/TCP, Network(L3): Communication
between networks through gateway IP, Link(L2): adjacent machines
Internetprotocol (IP)
Data size max 64kByte = 2^16
4bit Version, 4bit Header Length, 8bit Type of Service, 16bit total length(in Bytes) of IP-Datagram, 16bit Datagram Identification 3bit flags, 13 bit Fragment Offset, 8bit Time-to-live(TTL), 8bit Transport Protocol Type, 16bit Header Checksum, 32bit Source IP Adress, 32bit Destination IP Address, options, padding, IP Data
User Datagram Protocol (UDP)
Connectionless transport layer protocol, Interface
to IP without flow control or error-recovery
Source-Port(16bits), Destination Port(16 bits), Length(16bits),
Checksum(16bits), Data
Checksum: Summe von 16bit, gefalten(bsp. 2415Ch-20000h+2h=415E), Invertieren
(FFFFh-415Eh=BEA1h)
Transmission Control Protocol (TCP)
Connection Setup, Reliable Byte stream: each byte
acknowledged, connection oriented
Source Port(16bits), Destination Port(16bits), Sequence Number(32bits), Acknowledgement Number(32bits), Data Offset(4bits), Reserved(6bits), URG;ACK,PSH,RST,SYN,FIN, Window(16bits), Checksum(16bits),Urgent Pointer(16bits), Options and Padding, Data
Communication trough Protocol Data Unit(PDU), also known as Segments. TCP Sliding Window (Flow Control).
ISN = Initial Sequence Number. Anhand der ISN kann das Betriebssystem erkannt werden.
- IP address of the machine
- Port number used by the TCP software
MAC-Destn.-address,MAC-Source-address,Ether-type/Length, IP-Destinations-address, IP-Source-address, Protocol-Type, Portnumber, Datacontent
IP-Address: 195.65.129.11 -> ARP -> MAC-Address: 00:00:0F:00:B2:7B
MAC (Medium Access Controll): Induvidual/Group Bit,
Universal/Local Bit, Manufacturer Code(22bit), Address (24 bit)
nslookup, arp –a, ipconfig –all, winipcfg, ifconfig -a, netstat –a, ping www.hsr.ch, tracert www.hsr.ch
Alle durch Repeater verbundene Teilnetze nennt man Collision-Domain
Ist die Netzwerkkarte im Promiscous Mode werden alle Pakete betrachtet (sniffen)
Unassigned
Numbers:
10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, 192.168.0.0 –
192.168.255.255
Loopback
Numbers:
127.x.y.z, 127.0.0.1=myself
Limited
Broadcast:
Network=000..0 Host=111..1
Directed
Broadcast:
Network=x
Host=111..1
Packet forwarding / filtering
Route determination: Distance Vector Protocol(RIP),
Link-State Protocol (Open shortes Path first OSPF)
Error reporting system providing consistent understandable error messages
framework for automatic configuration of IP hosts
- Privacy (Geheimhaltung, Datenschutz)
- Integrity (Datenfälschung)
- Authentication (Falscheinspeisung)
- non Repudiation (Beweisbarkeit)
Incident:
accident, bug, configuration / usage problems
Criminals:
malicious hackers, spys, organized crime
Terrorism:
attacks by organization
Information Warfare: attacks by states
Tiger
Team:
Paid team who tries to break into the system.
Art. 143: Absicht, sich oder einen anderen unrechmässig zu bereichern…bis 5
Jahre Gefängnis
ohne Bereicherungsabsicht..Gefägnis oder Busse
Art 144: Datenbeschädigung
Daten verändern, löschen oder unbrachbar macht...
bis 5 Jahre
Programme für Datenbeschädigung hersteellt, einführt, in Verkehr bringt, anpreist,
anbietet oder sonst wie zugänglich macht...bis 5 Jahre
Unsecure „Channels“:
communication channel(radio, copper cable, fiber cable)
storage media(disc, paper, tape...)
Perfect secrecy: the ciphertext fives no information about
the plaintext
Confidentiality(Vertraulichkeit), privacy, secrecy: nobody reads
Integrity: nobody forges (niemand modifiziert)
Authenticity: really the correct sender
Non Repudiation: sender can not deny message
High Availability (HA): system works when I need it
compressed plaintext is encrypted with (private) session (gemeinsamer
Schlüssel)
Private key encription(symmetric key systems):
Plaintext->Encipher Key1-> Ciphertext
-> Decipher Key1 -> Plaintext
Stream Cipher System, (pseudo) random key generator, Key is
a cipherstream.
Cipherstream must be as long as the plaintext (CDROM
with key)
Problems: each connection needs it’s own private key,
key distribution problem, n(n-1)/2 keys
Stream Cipher Algorithms:
-Linear Feedback Shift Register (LFSR)
-Rivest Cipher (RC4)
Block Cipher Systems:
If a bit gets lost, only a single block is defect
-Data Encription Standard (DES) / Simple DES, triple DES
-Inernational Data Encryption Algorithm(IDEA)
-CAST, Carlisle Adams and Stafford Tavares, Entrust
Technologies)
Public Key: verschlüsselt(Schloss), encrypts
Private Key: entschlüsselt(Schlüssel), decrypts
Solved by One-Way Function, Factorisation
PGP public key Algorithms
- Diffie-Hellman (DH)
- Rivest-Shamir-Adleman (RSA)
- Digital Signature Algorithm DSA, Digital Signature
Standard DSS
Public Key Distribution (PKD) System, typically DH
Public Key Cryptosystem (PKS), typically RSA
Diffie-Hellmann (DH) Algorithm:
1. Publish a large prime number p and (Exponent) a < p
2. Produce a large secret random prime number Ya (geheime
Zufallszahl)
3. Compute Ea = a^Ya mod(p)
4. Publish Ea -> public is a,p,Ea
5. A and B get a shared secret number by computing Kab=Eb^Ya
mod(p) = Ea^Yb mod(p)
PGP (Pretty good privacy): Keys are stored locally in public and private
(secret) key rings
secring.pkr Secret
keyring is encrypted under a Passphrase
PGP is a hybrid
crypto system: private and public key crypto system
Always assume, that the crypto machine i.e. algorithm is known
Ciphertext-only attack: use probable words, statistics
Known-plaintext attack: determine key from known ciphertext-plaintext
pairs (e.g. dear custumer=1A45FE)
Chosen-plaintext attack: determine key from chosen ciphertext-plaintext
(select words or patterns)
The longer the key, the more difficult to guess, to
break the system.
Exhaustive search (brute force attack): Try out all
keys until the decryption makes sense
public key system takes much more time than using a private
key
public key length must be larger than private key length
for comparable strength
ADK Additional Decryption key, you need two keys to open
MD Multipart Decryption, more than one key can open
create a key:
1. choose to great Primes p and q (e.g. about 512
bit long)
2. calculate n=pq. n is N bit long
3. choose e>1, teilfremd (not related) to (p-1)(q-1)
4. calculate d with de= 1 mod (p-1)(q-1)
5. n and e are the public, d is the private key
P(M) = M^e (mod n) RSA Publickey
S(C) = C^d (mod n) RSA Privatekey
S(P(M)) = M^(ed) (mod n)
cipher
1. Make cleartext-blocks from N-1 bit long(fill
up last block)
2. calculate m<n mod(c) by m^e / n. c is the
ciphertext and N bit long
decipher
1. make ciphertext-bloxk from N-bit long
2. calculate c<n mod of c^d / n
Public key systems can be used to sign messages, files, programs
and keys
Hash (message digest) to reduce the size of the message
to be signed
- Message Digest Function (MD5)
- Secure Hash Algorithm(SHA)
- Manually hand out key and check identity of owner
- Fetch key electronically and compare fingerprint
(by phone)
- Get key signed by somebody or some organisation
you trust an who’s signature you can verify
Web of Trust: keys which are signed by friends are considered
to be valid
Certification Authority (CA): checks ID of people, sign
key, stores certificates
for Authentification, Integrity, non-repudiation
Hierarchical Certification:
Internet Policy Registration Authority (IPRA)-> Policy
Creation Authorities (PCA)-> Certification Authories (CA) = Keys in Browser
-> user key
Certificates can be used for: Server- Client authentication, Code signing,
driver verification, e-mail, time stamping, ip security end system, tunnel termination,
trust list signing
critical extensions must be recognized
non-critical extension may be ignored
HTTP secured by SSL or TLS uses port 443
pop3s 995/tcp POP3 protocol over TLS/SSL
https://server.xyz.ch
SSL supports: Privacy, Server Authentication, optional
Client Authentication
Hybrid encryption scheme: Public Key System(e.g. RSA)
for session key exchange. 2.Systemmtric Key (RC4) for encryption
- Brute force attacks on 40bit key systems
- Known plaintext attacks (GET https://telebanking.xyz.com)
- Reply attack: send encrypted message twice
Telebank: Contractnumber, Password, Onetime-Password
Secure HTTP ( S-HTTP)
Secure HyperText Transfer Protocol, provides security
on applicationlayer
Networksecurity Basics <--- ---> Networksecurity übersicht